| File name: | pamela.doria@minerasancristobal.com.zip |
| Full analysis: | https://app.any.run/tasks/b78697c4-9f55-4b7d-83cc-92b7d2fc5c6b |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | May 22, 2026, 21:22:05 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v4.5 to extract, compression method=deflate |
| MD5: | 5CB52937ED4BAFA0E7FB996177AF8C50 |
| SHA1: | 77DAD217FF0170D2F6A66CF4CE6E83BFAC082362 |
| SHA256: | A5708C8987EC5D93BC654A293BFD205AFADC9248A877089BC5D773462E11A312 |
| SSDEEP: | 49152:xnB2SHWhTKNiLSfkUa9D1RuV2PnCIZh1v/5QE+HC3AOPrfJ2tVZyoOizBg8SHw6W:xnByYNiLpD1RW2Pnt3/5QN+ASrfkVRB/ |
MALICIOUS
Known privilege escalation attack
- dllhost.exe (PID: 8992)
FORMBOOK has been detected
- firefox.exe (PID: 7924)
- WWAHost.exe (PID: 5440)
- firefox.exe (PID: 3112)
- firefox.exe (PID: 5664)
- firefox.exe (PID: 6844)
- firefox.exe (PID: 2684)
- firefox.exe (PID: 5420)
- firefox.exe (PID: 6240)
- firefox.exe (PID: 7816)
- firefox.exe (PID: 5584)
- firefox.exe (PID: 8832)
- firefox.exe (PID: 9028)
- firefox.exe (PID: 2940)
- firefox.exe (PID: 6108)
Changes Windows Defender settings
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Adds path to the Windows Defender exclusion list
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
FORMBOOK has been detected (YARA)
- WWAHost.exe (PID: 5440)
SUSPICIOUS
Reads Microsoft Outlook installation path
- WinRAR.exe (PID: 5384)
Probably UAC bypass using CMSTP.exe (Connection Manager service profile)
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
Used cmstp for execute code hidden within an inf file
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
Application launched itself
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Starts POWERSHELL.EXE for commands execution
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Adds exclusion path to Windows Defender (POWERSHELL)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Uses TASKKILL.EXE to kill process
- dllhost.exe (PID: 8992)
File deletion via cmd.exe
- cmd.exe (PID: 4932)
INFO
Manual execution by a user
- firefox.exe (PID: 8100)
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- WinRAR.exe (PID: 2792)
- WWAHost.exe (PID: 5440)
Reads Microsoft Office registry keys
- WinRAR.exe (PID: 5384)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 5384)
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Application launched itself
- firefox.exe (PID: 8100)
- firefox.exe (PID: 7924)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2792)
- firefox.exe (PID: 7924)
Launching a file from the Downloads directory
- firefox.exe (PID: 7924)
Reads the computer name
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8132)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Checks supported languages
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
- Solicitud de orden de compra OC 26003850.exe (PID: 8132)
Reads the machine GUID from the registry
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Disables trace logs
- cmstp.exe (PID: 7312)
Process checks computer location settings
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
.NET Reactor protector has been detected
- Solicitud de orden de compra OC 26003850.exe (PID: 8040)
- Solicitud de orden de compra OC 26003850.exe (PID: 8232)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 8612)
The sample compiled with english language support
- firefox.exe (PID: 7924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(5440) WWAHost.exe
C2 (1)www.finance77-laudantium.pro/ge47/
Decoy C2 (64)venloria.us
bythebellboxing.com
dakarcocktail.com
wrqgd.xyz
furbabyfortune.shop
thousandoaksbsalandscaping.com
fixitfuego.online
contexception.com
bosslifesa.com
happybusiness.fr
pokerdom-kasinos-site.ru
getscalespilot.co
eqtreporting.com
jefyd.top
taskforcebot.com
spectrumcomercial.com
43dqb.top
ncooleyrealty.com
usemention.ai
droppingjulzz.com
neurowellnesslab.site
twgxcc.art
h38zn.top
duo240.top
myleadsgen.co
maedso.com
park-promote-portability.xyz
appliancerookies.shop
biforin.com
assessoriabr.com
dtu92.top
nettflex.site
911itg.com
valentinar.ru
hup30.top
chipskk.com
bethq.work
naturalstone.store
marineinsurer.one
dojcatena.com
sydneyjoos.com
aitooling.ru
j3152xx.cc
cutoffwheelsrus.com
pepxly.makeup
inscritos20266.online
projectyola.click
c8un2-bz0ox-ecsxpp.xyz
souldiggin.com
lillyandlark.com
adrisex.com
zavixaro.shop
4554.tw
heyarefamily.store
topclickgaming735.info
yinboxops.co
uj3gb7q.shop
clawbytes.xyz
mt9sx9.asia
i4feaqo5h.xyz
12points.se
carolinabiscaro.net
continuumclothing.com
ozenziraat.com
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 45 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2026:05:22 21:16:00 |
| ZipCRC: | 0x904f5535 |
| ZipCompressedSize: | 4294967295 |
| ZipUncompressedSize: | 4294967295 |
| ZipFileName: | 14dd6260-1c87-4114-1521-08deb8428fb3/b5fd0f98-26a0-1820-5047-4f74c50cac7c.eml |
Total processes
180
Monitored processes
36
Malicious processes
17
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2684 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4964 -prefsLen 45425 -prefMapHandle 4968 -prefMapSize 273045 -ipcHandle 4952 -initialChannelId {4129e267-2a79-43b6-9d47-a618fbc265c6} -parentPid 7924 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7924" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 2792 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Solicitud de orden de compra OC 26003850 (extract.me).zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2940 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 3556 -prefsLen 37299 -prefMapHandle 3560 -prefMapSize 273045 -ipcHandle 3368 -initialChannelId {679d6320-b33c-46b5-80e6-6bfee9bed638} -parentPid 7924 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7924" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 3016 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3112 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2032 -prefsLen 36580 -prefMapHandle 2036 -prefMapSize 273045 -ipcHandle 2084 -initialChannelId {b0118574-2906-4e43-b9d0-a00e8dd7a6bc} -parentPid 7924 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7924" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 3696 | taskkill /IM cmstp.exe /F | C:\Windows\SysWOW64\taskkill.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4932 | /c del "C:\Users\admin\Desktop\Solicitud de orden de compra OC 26003850.exe" | C:\Windows\SysWOW64\cmd.exe | — | WWAHost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5384 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\pamela.doria@minerasancristobal.com.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 5408 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6820 -prefsLen 39837 -prefMapHandle 6824 -prefMapSize 273045 -jsInitHandle 6828 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 6784 -initialChannelId {b2d26523-35e8-461d-baa4-0d6c6eb90290} -parentPid 7924 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7924" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 5420 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5012 -prefsLen 39429 -prefMapHandle 5016 -prefMapSize 273045 -jsInitHandle 5020 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5028 -initialChannelId {78ce2c0f-49c2-4cf1-81db-0412bcf40cea} -parentPid 7924 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7924" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
Total events
0
Read events
0
Write events
0
Delete events
0
Modification events
Executable files
6
Suspicious files
361
Text files
123
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8072 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | — | |
MD5:— | SHA256:— | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C3A2201.dat | image | |
MD5:0E51D76DF7F25EF0E092DF0692517640 | SHA256:0563951D7D8F34249239141D7559AC79643AED342549E49AE85B7EA1EAEA8A4B | |||
| 5384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb5384.7341\b5fd0f98-26a0-1820-5047-4f74c50cac7c.eml | binary | |
MD5:0E51D76DF7F25EF0E092DF0692517640 | SHA256:0563951D7D8F34249239141D7559AC79643AED342549E49AE85B7EA1EAEA8A4B | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DAAB32CF-6E07-44E2-AB5E-7EB0A82024AC | xml | |
MD5:FE3306103FF457519A29BF1FCC737899 | SHA256:2E8C3129C245B9CBE2A0C39C663592504043B2A6BB4F57906C6D134ED72E77D1 | |||
| 5384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb5384.7341\b5fd0f98-26a0-1820-5047-4f74c50cac7c.eml:OECustomProperty | binary | |
MD5:F6070E55637A0A0FD1B44541E0C887A2 | SHA256:D32E86DE66C7206F30D6C795F6BCEDD50332CF6A819E1140B58A9A47F3F20301 | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | binary | |
MD5:ED782AE9FC61D07B3693BDC87D97C185 | SHA256:4EDB8E2FC7B925470A3A9F5E8274403A6E28215773669A7C2129A4AE6C93EA3A | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\olk2333.tmp | binary | |
MD5:95DBDB3818756A4DE874A99589C613C8 | SHA256:5693E1D80C1300967DFB6A97F1735DA13BE9A0D33169D4A9CE547426FB625EF2 | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DEA34B7.dat | image | |
MD5:00F56659F3A482EA3772DD59592D94D2 | SHA256:22F614B712CC2FA3A8AA4062240517CFCFA6BF679BADD1120D5B0013E1B4AAA5 | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EA99200E.dat | image | |
MD5:BA7D8AA2A3DD0F7BC62A475B354A3FC9 | SHA256:415A2DC239A0005C111DC9EAA4075DC8887F57DB3C211F80D205E7821D9DC34C | |||
| 8072 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:293F92D02EB202FC67FF686FD0A33575 | SHA256:F9F1BB737524A5C24261142F8DE3FB210F3E1E6196E3704B5F11A8E93FF89929 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
521
TCP/UDP connections
146
DNS requests
207
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5316 | svchost.exe | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
5316 | svchost.exe | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted |
5316 | svchost.exe | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted |
5316 | svchost.exe | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted |
5316 | svchost.exe | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted |
4872 | svchost.exe | GET | 200 | 184.24.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
4872 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
4872 | svchost.exe | GET | 200 | 48.209.138.189:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.84 Kb | whitelisted |
8072 | OUTLOOK.EXE | GET | 200 | 52.110.17.68:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | US | xml | 189 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5276 | MoUsoCoreWorker.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4872 | svchost.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5316 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3428 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5316 | svchost.exe | 23.11.40.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted |
4872 | svchost.exe | 184.24.77.7:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
4872 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
activation-v2.sls.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4872 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com) |
7924 | firefox.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] ZIP Archive Download Containing EXE File |